2014-10-02 - PHISHING EMAIL - SUBJECT: JOB IN FINANCIAL SERVICE
ASSOCIATED FILES:
- ZIP file of the malware: 2014-10-02-phishing-malware.zip
NOTES:
- I couldn't generate any network traffic on the infected VM. I also tried two different sandbox environments without any luck.
- If I get the chance, I'll run the malware on a bare-metal host and update this blog post.
PHISHING EMAIL DETAILS
MESSAGE TEXT:
From: Thane Bradford <builderwork@groupcarreerrr.com>
Reply-To: Thane Bradford <careerwork@careerbuilderr.net>
Date: Thursday, October 2, 2014 at 20:58 UTC
To:
Subject: Job in financial service
Good morning!!!
The companys careerbuilder has a good offer for you. One of the most successful financial service companies is hiring workers and you can be a part of successful team. If you are smart and motivated - send your resume to us.
Our customer offers a practical training period.
The average every year salary varies from 300K to 400K$.
You can get more information from the attachment below this letter.
We appreciate your time. Thank you for reading this info.
Attachment: INFO.zip (244.7 KB)
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: INFO.zip
File size: 181.1 KB (185,477 bytes)
MD5 hash: eccf92708f49ac1ec097fae8feb71cde
Detection ratio: 5 / 55
First submission: 2014-10-02 21:36:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/a4660af9d6fdae34ccb7b6b788f6f8b510247d4508ea44d5e1c949de045c8486/analysis/
EXTRACTED MALWARE:
File name: INFO.scr
File size: 312.5 KB (320,000 bytes)
MD5 hash: 58e3dd640785871be87dbeeb982d4b7a
Detection ratio: 3 / 55
First submission: 2014-10-02 22:10:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/b4c6fa2b61a97269a6e7b244183558d636681127329f5be3ea0c18d7518daa1e/analysis/
Malwr link: https://malwr.com/analysis/ZWY4MTA4YmVlZmNhNDg3Y2EwNDU1Zjk2NGRiN2NiY2Q/
SCREENSHOTS
When running the malware in a Windows 64-bit VM, I got the following error:
I renamed the file to an EXE extension and ran it as an administrator. The malware copied itself to C:\ProgramData\explorer.exe and created the following registry entry in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run:
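A quick way to check a host for the persistence described above, as an added example that is not part of the original post: it walks the Run keys (including the Wow6432Node path from this post), flags any entry whose executable lives under ProgramData or is an "explorer.exe" outside the Windows directory, and compares the file's MD5 against the INFO.scr hash listed above. It assumes it is run in an elevated PowerShell session on the suspect host.

```powershell
# Added example (not from the original post): hunt for the Run-key persistence
# described above. The hash and drop path below are the IoCs from this post.
$KnownMd5 = '58e3dd640785871be87dbeeb982d4b7a'   # MD5 of INFO.scr from the analysis above
$DropPath = 'C:\ProgramData\explorer.exe'         # copy location observed in the VM

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspiciousRunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata
            $data = [string]$p.Value
            # Extract the executable path from the value data (strip quotes and arguments)
            $exe = ($data -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.(exe|scr)).*$', '$1'
            $inProgramData = $exe -like '*\ProgramData\*'
            $fakeExplorer  = ($exe -match '\\explorer\.exe$') -and ($exe -notlike "$env:WINDIR\*")
            if ($inProgramData -or $fakeExplorer) {
                $md5 = $null
                if (Test-Path -LiteralPath $exe) {
                    $md5 = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash.ToLower()
                }
                [pscustomobject]@{
                    Key       = $key
                    ValueName = $p.Name
                    Path      = $exe
                    MD5       = $md5
                    KnownBad  = ($md5 -eq $KnownMd5)
                }
            }
        }
    }
}

Get-SuspiciousRunEntry | Format-Table -AutoSize

# Independently of the Run keys, check whether the dropped copy itself is present
if (Test-Path -LiteralPath $DropPath) {
    $h = (Get-FileHash -LiteralPath $DropPath -Algorithm MD5).Hash.ToLower()
    "Found $DropPath (MD5 $h, matches sample from this post: $($h -eq $KnownMd5))"
}
```

A hash match is confirmation of this specific sample; a flagged entry that does not match still deserves a look, since any executable launched from ProgramData at logon is unusual.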
FINAL NOTES
Once again, here are the associated files:
- ZIP file of the malware: 2014-10-02-phishing-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.